Security of information transferred over the Internet is of great importance to many users, especially when the information is confidential, such as credit card numbers, and must not fall into the hands of a third party.
Almost all transmissions of confidential information over the Internet are encrypted to prevent them from being intercepted and read by third parties. Whenever a client computer connects to a remote computer or server, an elaborate “handshake” is performed that authenticates the devices and negotiates the algorithms and keys used to encrypt the information. If the transmission is intercepted, a third party that does not hold the keys should be unable to decrypt it, so the information is protected while it crosses the Internet.
However, the confidential information is exposed if it is captured in unencrypted form on the client computer itself. A Trojan horse or other malicious program can be secretly installed on the client computer, where the confidential information exists in plaintext. When the user types the information, or when it is otherwise available unencrypted on the client computer, the program can capture it before the client computer encrypts it and pass it to the third party that caused the program to be installed.
One way this problem has been addressed is to attach a separate computer device to the client computer. The client computer is connected to the Internet and can communicate with other devices over it. The separate device, however, is not connected to the Internet; it is connected directly to the client computer and can communicate only with it. When confidential information has to be sent to a remote device over the Internet, the separate device obtains the confidential information, inserts it into the message to be sent, encrypts the message, and passes the encrypted message back to the client computer for transmission to the remote computer. The confidential information may be entered into the separate device by the user with a keypad, a card swipe, a memory card, etc., or may already be stored on the device. Because the separate device communicates only with the client computer and is not reachable from the Internet directly, all Internet communication passes through the client computer, and a Trojan horse or other program resident on the client computer never sees the unencrypted confidential information.
While this keeps the confidential information out of reach of the client computer and of any remote computer that has compromised it, it also makes the separate device dependent on the client computer for everything it needs from the Internet. A process running on the client computer can therefore mount a man-in-the-middle attack, fooling the separate device into sending the confidential information to a third party rather than to the intended remote computer.
SSL and its successor TLS are cryptographic protocols used to provide secure transmission of information over the Internet. They typically provide authentication of the endpoint (the remote computer the client device is communicating with) together with confidentiality and integrity of the information exchanged. Three basic phases are usually described: the handshake or peer negotiation phase; the key exchange and authentication phase; and the encryption and message authentication phase. In the handshake phase, the two devices agree on the cipher suite to be used, including the cipher and hash algorithms. In the key exchange and authentication phase the server sends a digital certificate containing the server's name, the name of the certificate authority that issued the certificate and the server's public key, and the two sides derive the session keys. In the encryption and message authentication phase, messages between client and server are encrypted and integrity-protected, sent, then decrypted and verified.
The digital certificate used in the key exchange and authentication phase binds a public key, which the client computer can use for encryption, to information identifying the remote computer and the organization behind it, and carries the issuing certificate authority's digital signature over that binding. The certificate is meant to let the client computer verify that a received public key genuinely belongs to the remote computer and not to an impostor. The certificate names the certificate authority that issued it.
The client computer verifies a certificate by checking its signature with the public key of the certificate authority that issued it; the authority's servers need only be contacted to check whether the certificate has been revoked, not to validate the signature. In many cases, however, the issuing authority is not one the client computer already trusts, so a certificate issued to that authority by a higher authority is used to verify the first certificate. In this manner a chain of certificates is built, each higher certificate vouching for the authority that issued the one below it, until a root certificate issued by an authority that is expected to be trusted by all is reached, ending the chain. This chain is the certification path.
Because the separate computer device reaches the Internet only through the client computer in order to obtain its security benefits, it must receive the digital certificate and the certification path, including the root certificate, from the client computer. A client computer authenticates a remote computer by verifying the signature on the remote computer's certificate with the public key of the certificate authority that “signed” it. The signature on each certificate in the path is checked with the public key in the certificate above it, so the public key of the root certificate, which the verifier must already possess, is used to verify the chain down to the certificate presented by the remote computer.
The root certificates of the well known certificate authorities are distributed with operating systems and browsers and updated periodically, so the client computer already holds the public keys it needs and does not have to fetch them over the Internet. The separate computer device, however, has no direct Internet access and must accept whatever the client computer passes to it. If the separate device obtains its root certificate from the client computer, then a compromised client computer can pass it a certificate, certification path and root certificate fabricated by the attacker, claiming they are the genuine ones, and the separate device has no independent way to tell the difference: the forged chain is internally consistent, every signature verifies against the key above it, and only the root is wrong. The separate device is thereby fooled into authenticating the third party rather than the intended remote computer, uses a public key supplied by the third party, and sends encrypted information that the third party can decrypt, exposing the sensitive or confidential information. The root certificate is a trust anchor: it cannot be validated over the same channel it is used to validate, so it must reach the device by a route the attacker cannot control.
It is desirable to provide a method and apparatus that retains the advantages of using a separate computer device to encrypt messages while still allowing the separate computer device to authenticate that a public key belongs to a remote server.
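The certification-path check described in the preceding paragraphs, and the root-substitution attack against a device that takes its root from the client computer, as an added example that is not part of the original document. It uses only the Go standard library's crypto/x509 package. The certificate names, the host name bank.example and the functions mustIssue, Accepts and RunScenarios are constructed for this example; a device that pins the genuine root out of band and a device that trusts whatever root it is handed are evaluated against the same forged chain.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err) // demonstration code: any failure is a bug in the example itself
	}
}

// mustIssue generates a P-256 key and a certificate for cn. With parent == nil
// the certificate is self-signed (a root); otherwise it is signed by parentKey.
func mustIssue(cn string, isCA bool, dns []string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	sn, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          sn,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		DNSNames:              dns,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil { // self-signed: the certificate is its own issuer
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// Bundle is everything the client computer hands the isolated device: the
// server certificate, any intermediates, and the root the client claims is trusted.
type Bundle struct {
	Leaf          *x509.Certificate
	Intermediates []*x509.Certificate
	ClaimedRoot   *x509.Certificate
}

// Accepts builds the certification path from b.Leaf up to anchor, checking each
// signature with the public key of the certificate above it and that the leaf
// is valid for host. Which anchor the device uses is the whole question.
func Accepts(b Bundle, anchor *x509.Certificate, host string) bool {
	roots := x509.NewCertPool()
	roots.AddCert(anchor)
	inter := x509.NewCertPool()
	for _, c := range b.Intermediates {
		inter.AddCert(c)
	}
	_, err := b.Leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, DNSName: host})
	return err == nil
}

// Result records how each kind of device treats each chain.
type Result struct{ HonestPinned, ForgedNaive, ForgedPinned bool }

// RunScenarios builds a genuine PKI and an attacker's look-alike PKI (all names
// and the host are constructed for this example) and evaluates both against a
// device that pins the genuine root and a device that trusts whatever root it is handed.
func RunScenarios() Result {
	const host = "bank.example"
	root, rootKey := mustIssue("Trusted Root CA", true, nil, nil, nil)
	inter, interKey := mustIssue("Trusted Intermediate CA", true, nil, root, rootKey)
	leaf, _ := mustIssue(host, false, []string{host}, inter, interKey)
	honest := Bundle{Leaf: leaf, Intermediates: []*x509.Certificate{inter}, ClaimedRoot: root}

	// Malware on the client computer mints its own root with the SAME name and
	// signs a certificate for the same host. Every signature in this chain
	// verifies against the key above it; only the trust anchor is wrong.
	fakeRoot, fakeKey := mustIssue("Trusted Root CA", true, nil, nil, nil)
	fakeLeaf, _ := mustIssue(host, false, []string{host}, fakeRoot, fakeKey)
	forged := Bundle{Leaf: fakeLeaf, ClaimedRoot: fakeRoot}

	return Result{
		HonestPinned: Accepts(honest, root, host),               // device provisioned with the real root out of band
		ForgedNaive:  Accepts(forged, forged.ClaimedRoot, host), // device takes the root from the client computer
		ForgedPinned: Accepts(forged, root, host),               // pinned device sees an unknown authority
	}
}

func main() {
	fmt.Printf("%+v\n", RunScenarios()) // {HonestPinned:true ForgedNaive:true ForgedPinned:false}
}
```

The forged root carries the same name as the genuine one, so matching on the authority's name proves nothing; the only thing that distinguishes the two chains is the public key the device uses as its anchor, which is why that key must be provisioned into the separate device by a path the client computer cannot alter.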